Windows DNS won't bind to 6to4 tunnel adapter
I have a clean install of Windows Server 2008 Standard. I've assigned the machine a static, routable IP address. As documented, the machine creates a 6to4 tunnel. I've tested, and the IPv6 connectivity is working as expected.

    C:\Users\jaraco>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : yojimbo
       ...
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       ...

    Ethernet adapter Hardwire LAN:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-0C-29-73-84-16
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::6d86:a87f:4eff:86b8%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 65.222.166.37(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 65.222.166.1
       DNS Servers . . . . . . . . . . . : 65.222.166.35
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       ...

    Tunnel adapter Local Area Connection* 9:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : 6TO4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:41de:a625::41de:a625(Preferred)
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
       DNS Servers . . . . . . . . . . . : 65.222.166.35
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Local Area Connection* 11:

       Media State . . . . . . . . . . . : Media disconnected
       ...

    C:\Users\jaraco>ping -6 www.kame.net

    Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] from 2002:41de:a625::41de:a625 with 32 bytes of data:
    Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=255ms
    Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=243ms

However, the DNS server does not bind to the 6to4 address.

    C:\Users\jaraco>netstat -a -o -n | findstr /i listening | findstr :53
      TCP    65.222.166.37:53                   0.0.0.0:0    LISTENING    1284
      TCP    127.0.0.1:53                       0.0.0.0:0    LISTENING    1284
      TCP    [::1]:53                           [::]:0       LISTENING    1284
      TCP    [fe80::6d86:a87f:4eff:86b8%10]:53  [::]:0       LISTENING    1284

Why is this happening?
ListenAddresses is not defined in the DNS Service Parameters. According to the documentation, the service should bind to all interfaces. If I go to the DNS Management Console, the only two addresses that appear to be listened to are the IPv4 address and the fe80:: address. How do I get the DNS service to bind to the 6to4 interface?
July 29th, 2008 7:21pm

So, is it reasonable to assume that a non-response to this question means that Microsoft doesn't support DNS in IPv6? This seems contradictory to the IPv6 readiness claim. If I can't serve DNS on the only routable IPv6 address on the machine, that's a huge limitation.

If the answer can't be found here on TechNet, can you recommend another forum where I might receive a response?

Respectfully,
Jason
August 25th, 2008 8:27pm

Still no support for 6to4 DNS in Windows Server 2008.
April 27th, 2009 6:18pm

Three levels of DNS security - Low-level security: All DNS servers are configured to listen on all of their IP addresses.
http://technet.microsoft.com/en-us/library/cc755131.aspx

According to the above article, DNS should listen to all IP addresses.

Give a shot to the below command - I tried on one of my test machines but it shows 9552 error (Invalid IP).

You can use the below article to make it listen to a specific IP (DNSCMD command, /ResetListenAddresses):
http://technet.microsoft.com/en-us/library/cc755068.aspx
May 2nd, 2009 10:28am

ResetListenAddresses was no help. I also get 9552 DNS_ERROR_INVALID_IP_ADDRESS when I try to assign any IPv6 address other than the link local address (fe80::a004:25d3:c8bc:79c4 in this case). Link local works fine.

    C:\Users\jaraco>dnscmd /resetlistenaddresses fe80::a004:25d3:c8bc:79c4
    ListenAddresses reset successful.
    Command completed successfully.

But using the 6to4 address fails.

    C:\Users\jaraco>dnscmd /resetlistenaddresses 2002:41de:a625::41de:a625
    DNS Server failed to reset listen addressess.
        Status = 9552 (0x00002550)
    Command failed: DNS_ERROR_INVALID_IP_ADDRESS 9552

Here's the DNS info.

    C:\Users\jaraco>dnscmd /info
    Query result:
    Server info
        server name = yojimbo.jaraco.com
        version = 17710006 (6.0 build 6001)
        DS container = cn=MicrosoftDNS,cn=System,DC=jaraco,DC=com
        forest name = jaraco.com
        domain name = jaraco.com
        builtin forest partition = ForestDnsZones.jaraco.com
        builtin domain partition = DomainDnsZones.jaraco.com
        read only DC = 0
        last scavenge cycle = not since restart (0)
      Configuration:
        dwLogLevel = 00000000
        dwDebugLevel = 00000000
        dwRpcProtocol = FFFFFFFF
        dwNameCheckFlag = 00000002
        cAddressAnswerLimit = 0
        dwRecursionRetry = 3
        dwRecursionTimeout = 8
        dwDsPollingInterval = 180
      Configuration Flags:
        fBootMethod = 3
        fAdminConfigured = 1
        fAllowUpdate = 1
        fDsAvailable = 1
        fAutoReverseZones = 1
        fAutoCacheUpdate = 0
        fSlave = 1
        fNoRecursion = 0
        fRoundRobin = 1
        fStrictFileParsing = 0
        fLooseWildcarding = 1
        fBindSecondaries = 0
        fWriteAuthorityNs = 0
        fLocalNetPriority = 1
      Aging Configuration:
        ScavengingInterval = 0
        DefaultAgingState = 0
        DefaultRefreshInterval = 168
        DefaultNoRefreshInterval = 168
      ServerAddresses:
        Ptr = 00000000002C3A20
        MaxCount = 2
        AddrCount = 2
        Addr[0] => af=23, salen=28, [sub=0, flag=00000000] p=13568, addr=fe80::a004:25d3:c8bc:79c4
        Addr[1] => af=2, salen=16, [sub=0, flag=00000000] p=13568, addr=65.222.166.37
      ListenAddresses:
        NULL IP Array.
      Forwarders:
        Ptr = 00000000002C3AE0
        MaxCount = 2
        AddrCount = 2
        Addr[0] => af=2, salen=16, [sub=0, flag=00000000] p=13568, addr=4.2.2.1
        Addr[1] => af=2, salen=16, [sub=0, flag=00000000] p=13568, addr=4.2.2.2
        forward timeout = 3
        slave = 1
    Command completed successfully.

Would Microsoft please acknowledge this might be a bug so it can be addressed at some point?
May 2nd, 2009 3:50pm

To be clear, the dnscmd /info was run after resetting the ListenAddresses back to default.
May 2nd, 2009 3:52pm

This won't work with server 2008 SP1. Issue has been fixed with SP2 for server 2008.
May 5th, 2009 3:30am

Thanks. I look forward to it.
May 5th, 2009 7:14am

I recently upgraded to SP2 on Server 2008, but the behavior is the same. With ListenAddresses undefined, the DNS service binds only to the localhost and link-local IPv6 addresses. The 'dnscmd /resetlistenaddresses' command still returns DNS_ERROR_INVALID_IP_ADDRESS when the 6to4 address is supplied.
June 1st, 2009 5:21am

Any suggestions on this issue? Is there any way to get Windows Server 2008 SP2 to serve DNS on a 6to4 IPv6 address?
October 22nd, 2009 3:07pm

I ran these same tests on Windows Server 2008 R2, and it appears to have the same limitations. I guess the answer is that if you want to run DNS on IPv6, you'd better be prepared to shell out for a native IPv6 infrastructure or use something other than Microsoft DNS.
October 23rd, 2009 6:30am

To remove ISATAP from the DNS global query block list, from an elevated prompt:

    dnscmd /config /globalqueryblocklist wpad

Tested and working in 2008 SP2 (enterprise).
April 6th, 2010 8:47pm

Interesting. I'll look into it. However, I don't think it applies. I'm using 6to4 tunneling, not ISATAP tunneling. I tried your suggestion on Windows Server 2008 SP1, and it doesn't have any effect there. A transcript is below. I will test on a 2008 R2 server later.

    PS C:\Users\jaraco> dnscmd /info /globalqueryblocklist
    Query result:
    String: wpad
    String: isatap
    Command completed successfully.

    PS C:\Users\jaraco> dnscmd /config /globalqueryblocklist wpad
    Registry property globalqueryblocklist successfully reset.
    Command completed successfully.

    PS C:\Users\jaraco> net stop dns
    The DNS Server service was stopped successfully.

    PS C:\Users\jaraco> net start dns
    The DNS Server service is starting.
    The DNS Server service was started successfully.

    PS C:\Users\jaraco> netstat -a -o -n | findstr /i listening | findstr :53
      TCP    10.0.11.43:53                      0.0.0.0:0    LISTENING    6716
      TCP    66.92.166.119:53                   0.0.0.0:0    LISTENING    6716
      TCP    127.0.0.1:53                       0.0.0.0:0    LISTENING    6716
      TCP    [::1]:53                           [::]:0       LISTENING    6716
      TCP    [fe80::6941:778f:8b12:3562%10]:53  [::]:0       LISTENING    6716

    PS C:\Users\jaraco> ipconfig

    Windows IP Configuration
    ...
    Tunnel adapter Local Area Connection* 9:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2002:425c:a677::425c:a677
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301

    PS C:\Users\jaraco> ping 2002:425c:a677::425c:a677

    Pinging 2002:425c:a677::425c:a677 from 2002:425c:a677::425c:a677 with 32 bytes of data:
    Reply from 2002:425c:a677::425c:a677: time<1ms

    Ping statistics for 2002:425c:a677::425c:a677:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    PS C:\Users\jaraco> nslookup www.jaraco.com ::1
    Server:  UnKnown
    Address:  ::1

    Name:    teach.jaraco.com
    Address:  66.92.166.119
    Aliases:  www.jaraco.com

    PS C:\Users\jaraco> nslookup www.jaraco.com 2002:425c:a677::425c:a677
    Server:  UnKnown
    Address:  2002:425c:a677::425c:a677

    *** UnKnown can't find www.jaraco.com: No response from server
April 6th, 2010 11:31pm

Indeed, I tested on Server 2008 R2 (enterprise) and it doesn't work. Thanks for the suggestion. If you can demonstrate a Windows Server 2008 responding to DNS on a 6to4 address, I would be very interested to hear how you configured it.
April 6th, 2010 11:44pm

@ Jason R. Coombs- Any update on this issue? I have encountered a similar situation with Server 2008 R2, but with Teredo - DNS won't listen on a Teredo address either. Thanks.
August 9th, 2010 4:58pm

My only solution has been to write a DNS proxy that binds to ::0 and relays requests to ::127.0.0.1. The code I use to do this is here: http://bitbucket.org/jaraco/jaraco.net/src/tip/jaraco/net/dns.py

To use this code, you'll probably want to know something about Python on Windows. If you don't, here are the basics you'll need to get it installed.

1) Install Python 2.7 from python.org
2) Install pywin32 from sourceforge
3) Install distribute (http://pypi.python.org/pypi/distribute) or setuptools
4) \python27\scripts\easy_install jaraco.net
5) Install/start the DNS relay service using \python27\scripts\dns-forwarding-service

Regards,
Jason
August 9th, 2010 8:20pm

Jason- Thanks for the quick reply and the script. I think I got the x64 versions of python 2.7 and pywin installed and downloaded distribute and ran your script. It seems to run by default under the Local System account. The DNS Forwarding Service appears in the services.msc GUI, but if I try to start it from there, it starts and stops. Is that normal? Also, how to actually get the desired (Teredo, in my case) IPv6 address registered?
August 9th, 2010 10:44pm

It sounds like you have the service set up correctly. It does install as the system user by default, though I think you can specify a user when you install it. In any case, the immediate stop failure is probably a missing dependency or a bug in the code. I'll investigate and report back.
August 9th, 2010 10:57pm

1. Is it necessary to run any other script besides dns-forward-service-script.py? 2. Is it necessary to edit the script to specify the IPv6 address to listen on? 3. If so, how? The problem may be my lack of experience with Python. Thanks.
August 9th, 2010 11:12pm

You're quite right. I apologize. It's been a long time since I've looked at that code.

1) You should only have to run dns-forward-service.exe or dns-forward-service-script.py.
2) In jaraco.net 1.1, that was a shortcoming.
3) The code in c:\python27\lib\site-packages\jaraco.net-1.1-py2.7.egg\jaraco\net\dns.py would need to be customized (search for _listen_host). However, don't do that. I've improved the package and released version 1.2, which adds an option to the 'install' and 'update' commands of the service.

So, first upgrade to the latest release.

    easy_install -U jaraco.util

or get 1.2 specifically

    easy_install jaraco.util==1.2

Then, run the update command and provide the address to which to bind.

    dns-forwarding-service -b 2002:abcd:ef12::abcd:ef12 update

Then, you should be able to start the service, and it will bind to the specified address. If you don't specify the address, it will default to ::0, which isn't the best idea for two reasons. First, if it starts before the Microsoft DNS, it will supersede, and will probably enter an infinite loop on every request. Second, it may fail to bind to ::0 if some IPs are already bound (I haven't tested). In any case, I strongly recommend you use the -b parameter.

Regards,
Jason
August 13th, 2010 6:33am
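
The relay approach described in the posts above, as an added example (not the jaraco.net code and not part of the thread): a UDP relay that binds to one explicit address, rejects the wildcard address for the reasons given above, and forwards each query to a DNS server assumed to listen on 127.0.0.1:53. The names make_listener, relay_once and UPSTREAM are hypothetical, and only UDP is handled.

```python
import ipaddress
import socket

# Assumption: the Microsoft DNS service answers on the IPv4 loopback address.
UPSTREAM = ("127.0.0.1", 53)


def make_listener(bind_host, port=53):
    """Bind a UDP socket to one explicit address; refuse the wildcard."""
    addr = ipaddress.ip_address(bind_host.split("%")[0])  # drop any zone id
    if addr.is_unspecified:
        # Binding to :: or 0.0.0.0 can shadow the real DNS server, so the
        # relay would end up forwarding queries to itself.
        raise ValueError("bind to a specific address, not the wildcard")
    family = socket.AF_INET6 if addr.version == 6 else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.bind((bind_host, port))
    return sock


def relay_once(listener, upstream=UPSTREAM, timeout=3.0):
    """Relay one query to the upstream server and return its reply.

    Returns the number of reply bytes sent to the client, or 0 when the
    upstream did not answer or the reply's transaction ID did not match.
    """
    query, client = listener.recvfrom(4096)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as out:
        out.settimeout(timeout)
        out.connect(upstream)  # connected UDP: replies from other peers are dropped
        out.send(query)
        try:
            reply = out.recv(4096)
        except (socket.timeout, ConnectionError):
            return 0
    if reply[:2] != query[:2]:  # first two bytes are the DNS transaction ID
        return 0
    return listener.sendto(reply, client)


if __name__ == "__main__":
    # Placeholder address taken from the example command in the post above.
    listener = make_listener("2002:abcd:ef12::abcd:ef12")
    while True:
        relay_once(listener)
```

Because each query gets its own connected upstream socket with a timeout, an unanswered query is dropped instead of blocking the relay indefinitely.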

Jason- I updated the DNS Forwarding service as you described. The service forwarded queries directed to my server's Teredo address to 127.0.0.1, as designed. I had to set its start type to Delayed Automatic; it wouldn't start in reboot if the start type was plain Automatic. However, even with the DNS Forwarding service, my Teredo interface did not register in DNS. My interest was to run a Domain Controller as a DirectAccess client, and the missing link was that the Teredo interface was not registering in DNS on the client DC (although it was registering in DNS or the corpnet DC). This in turn led to the client DC's DNS record overwriting its replica on corpnet DNS and breaking replication. Thanks.
August 13th, 2010 8:45pm

The goal of the DNS Forwarding Service is not to configure the interface to register with a DNS server, but only to forward requests to a DNS server (so the DNS Server will actually respond to requests on the IPv6 address). However, there is another shortcoming with Windows Server 2008 R2 where the DNS Server automatically publishes all of its own addresses but neglects to include the tunneled IPv6 addresses and the PublishAddresses key doesn't support IPv6. I guess it would be possible to write yet another workaround for that issue, whereby a service will add the appropriate AAAA entries for the DNS server after the DNS server has started, but I haven't written anything to this effect.
August 13th, 2010 10:08pm

I don't know if this is relevant to the idea of writing another service, but I noticed that a manually-added AAAA record for the DA-client DC-DNS server's own Teredo address is automatically deleted within a short time. The DNS server may be hard-coded to reject addresses for its own name except for addresses that it listens on.
August 14th, 2010 12:18am

This topic is archived. No further replies will be accepted.
